
Avoid nfs altogether

Bob Mottram 7 years ago
parent
commit
e634287f32
3 changed files with 1 additions and 63 deletions
  1. 1
    2
      src/freedombone-image-customise
  2. 0
    38
      src/freedombone-tests
  3. 0
    23
      src/freedombone-utils-setup

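--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -1039,7 +1039,6 @@ function image_setup_utils {
     chroot "$rootdir" apt-get -yq dist-upgrade
     chroot "$rootdir" apt-get -yq install ca-certificates
     chroot "$rootdir" apt-get -yq install apt-utils
-    chroot "$rootdir" apt-get -yq install nfs-kernel-server
 
     if [[ $ARCHITECTURE == 'amd64' ]]; then
         chroot "$rootdir" apt-get -yq install linux-image-amd64
@@ -1206,7 +1205,7 @@ function image_setup_utils {
     chroot "$rootdir" apt-get -yq install tripwire
 
     # filesystem optimisations
-    sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
+    #sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
 }
 
 function image_install_nodejs {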
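Review bot: The commented-out `sed` at the end of `image_setup_utils` (second hunk) is left as dead code with no stated reason, and it is unrelated to NFS, so the commit subject hides a change to the image's btrfs mount options. Either delete the line or keep it under a comment that says why, e.g. `# disabled: <reason>; btrfs entries in fstab keep their original options`; if it is ever re-enabled, `"$rootdir/etc/fstab"` should be quoted. Separately, the first hunk only stops installing `nfs-kernel-server`, and `remove_nfs` is deleted in src/freedombone-utils-setup in the same commit, so nothing visible here still removes NFS packages that a base image might already carry; that may be intended, but it is worth confirming. `image_setup_utils` starts outside both hunks.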

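--- a/src/freedombone-tests
+++ b/src/freedombone-tests
@@ -844,26 +844,6 @@ function test_stig {
     output "V-38641" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000269
-    ##Remote file systems must be mounted with the nodev option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38652" $? ${SETLANG}
-    fi
-    ################
-
-    ##RHEL-06-000270
-    ##Remote file systems must be mounted with the nosuid option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38654" $? ${SETLANG}
-    fi
-    ################
-
     ##RHEL-06-000271
     ##The noexec option must be added to removable media partitions.
     if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
@@ -946,15 +926,6 @@ function test_stig {
     output "V-38675" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000309
-    ##The NFS server must not have the insecure file locking option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38677" $? ${SETLANG}
-    ################
-
     ##RHEL-06-000319
     ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
 
@@ -1046,15 +1017,6 @@ function test_stig {
     output "V-38462" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000515
-    ##The NFS server must not have the all_squash option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38460" $? ${SETLANG}
-    ################
-
     ##RHEL-06-000523
     ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
 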

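--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -381,15 +381,6 @@ function create_completion_file {
     fi
 }
 
-function disable_nfs_insecure_locks {
-    apt-get -yq install nfs-kernel-server
-    if grep 'insecure_locks' /etc/exports; then
-        sed -i 's|,insecure_locks||g' /etc/exports
-        sed -i 's|insecure_locks,||g' /etc/exports
-        exportfs -a
-    fi
-}
-
 function remove_management_engine_interface {
     # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
     # Disabling this interface doesn't cure the problems of ME, but it
@@ -488,9 +479,6 @@ function disable_ctrl_alt_del {
 }
 
 function lockdown_permissions {
-    if [ -d /etc/fs/nfs ]; then
-        remove_nfs
-    fi
     if [ -d /root/.npm ]; then
         find /root/.npm -name package.json -exec chmod 700 {} \;
     fi
@@ -625,11 +613,6 @@ function create_usb_canary {
     mark_completed $FUNCNAME
 }
 
-function remove_nfs {
-    apt-get -yq remove nfs-kernel-server
-    apt-get -yq remove nfs-common
-}
-
 function setup_firewall {
     function_check create_completion_file
     create_completion_file
@@ -700,9 +683,6 @@ function setup_utils {
     function_check proc_filesystem_settings
     proc_filesystem_settings
 
-    function_check remove_nfs
-    remove_nfs
-
     function_check optimise_filesystem
     optimise_filesystem
 
@@ -730,9 +710,6 @@ function setup_utils {
     function_check remove_bluetooth
     remove_bluetooth
 
-    function_check disable_nfs_insecure_locks
-    disable_nfs_insecure_locks
-
     function_check set_login_umask
     set_login_umask
 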